
Yesterday afternoon, the White House put out a statement describing its view of vulnerability disclosure: the contentious issue of whether and when government agencies should disclose their knowledge of computer vulnerabilities.

We recently learned about the NSA’s top secret efforts, in furtherance of its surveillance goals, to hack the Internet. Given these revelations, the public might reasonably believe the NSA is more likely to expose the public to, rather than secure people from, online threats. Some skeptics disbelieve, for example, government disavowals of advance knowledge of Heartbleed, one of the worst security holes ever found.

Yesterday’s statement by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, tries to reassure the public that this Administration knows how to make that judgment call responsibly.

The statement starts with a disavowal of any prior knowledge of the existence of Heartbleed. Nevertheless, Daniel says:

[T]his case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public. As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated. One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.

However, disclosure is not always in the government’s interest, and the Administration sees the zero-day issue as involving significant security tradeoffs.

But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

So Daniel wants to reassure the public that there’s a wise and sober process here which the Administration follows and which will lead to smart decisions in this difficult but important area:

This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.

It’s not clear why the efforts to implement existing policy need to be “re-invigorated”. But rest assured there are “policies”, “established principles”, and an “established process”.

Without revealing what those policies or principles are, Daniel then goes on to say what he personally looks for when deciding whether to disclose a security flaw:

How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

Does the vulnerability, if left unpatched, impose significant risk?

How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

How likely is it that we would know if someone else was exploiting it?

How badly do we need the intelligence we think we can get from exploiting the vulnerability?

Are there other ways we can get it?

Could we utilize the vulnerability for a short period of time before we disclose it?

How likely is it that someone else will discover the vulnerability?

Can the vulnerability be patched or otherwise mitigated?

In sum, Daniel makes comforting noises. But, while the questions he asks appear facially sensible, the answers are almost unknowable. The Administration’s decisions will rest on what are essentially guesses about what might happen with network insecurity. And those guesses take place within a secret interagency process governed by secret, internally crafted policies and norms. This is how our government is deciding one of the most important security, economic, and civil liberties issues of our time—how secure and reliable modern communications technologies are going to be allowed to become.
